Amazon Simple Queue Service
Developer Guide (API Version 2011-10-01)

Amazon SQS Policy Examples

This section shows example policies for common Amazon SQS use cases.

The following example policy gives the developer with AWS account number 123456789012 the SendMessage permission for the queue named 987654321098/queue1.

{
  "Version": "2008-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": {
    "Sid": "Queue1_SendMessage",
    "Effect": "Allow",
    "Principal": {
      "AWS": "123456789012"
    },
    "Action": "sqs:SendMessage",
    "Resource": "/987654321098/queue1"
  }
}

The following example policy gives the developer with AWS account number 123456789012 both the SendMessage and ReceiveMessage permissions for the queue named 987654321098/queue1.

{
  "Version": "2008-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": {
    "Sid": "Queue1_Send_Receive",
    "Effect": "Allow",
    "Principal": {
      "AWS": "123456789012"
    },
    "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
    "Resource": "/987654321098/queue1"
  }
}

The following example policy gives two different developers (with AWS account numbers 123456789012 and 555566667777) permission to use all the Amazon SQS actions that can be shared, on the queue named 987654321098/queue1.

{
  "Version": "2008-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": {
    "Sid": "Queue1_AllActions",
    "Effect": "Allow",
    "Principal": {
      "AWS": ["123456789012", "555566667777"]
    },
    "Action": "sqs:*",
    "Resource": "/987654321098/queue1"
  }
}

The following example policy gives all users ReceiveMessage permission for the queue named 987654321098/queue1.

{
  "Version": "2008-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": {
    "Sid": "Queue1_AnonymousAccess_ReceiveMessage",
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "sqs:ReceiveMessage",
    "Resource": "/987654321098/queue1"
  }
}

The following example policy gives all users ReceiveMessage permission for the queue named 987654321098/queue1, but only between noon and 3:00 p.m. on January 31, 2009.

{
  "Version": "2008-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": {
    "Sid": "Queue1_AnonymousAccess_ReceiveMessage_TimeLimit",
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "sqs:ReceiveMessage",
    "Resource": "/987654321098/queue1",
    "Condition": {
      "DateGreaterThan": {
        "aws:CurrentTime": "2009-01-31T12:00Z"
      },
      "DateLessThan": {
        "aws:CurrentTime": "2009-01-31T15:00Z"
      }
    }
  }
}

The following example policy gives all users permission to use all the Amazon SQS actions that can be shared on the queue named 987654321098/queue1, but only if the request comes from the 192.168.143.0/24 range.

{
  "Version": "2008-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": {
    "Sid": "Queue1_AnonymousAccess_AllActions_WhitelistIP",
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "sqs:*",
    "Resource": "/987654321098/queue1",
    "Condition": {
      "IpAddress": {
        "aws:SourceIp": "192.168.143.0/24"
      }
    }
  }
}

The following example policy has two statements:

  • One that gives all users in the 192.168.143.0/24 range (except for 192.168.143.188) permission to use the SendMessage action for the queue named 987654321098/queue1.

  • One that blacklists all users in the 10.1.2.0/24 range from using the queue.

{
  "Version": "2008-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": [
    {
      "Sid": "Queue1_AnonymousAccess_SendMessage_IPLimit",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "/987654321098/queue1",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.143.0/24"
        },
        "NotIpAddress": {
          "aws:SourceIp": "192.168.143.188/32"
        }
      }
    },
    {
      "Sid": "Queue1_AnonymousAccess_AllActions_IPLimit_Deny",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:*",
      "Resource": "/987654321098/queue1",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.1.2.0/24"
        }
      }
    }
  ]
}

The following example policy enables a connection between the Amazon Simple Notification Service topic specified by the Amazon Resource Name (ARN) arn:aws:sns:us-east-1:599169622985:test-topic and the queue named arn:aws:sqs:us-east-1:599169622985:test-topic-queue.

{
  "Version": "2008-10-17",
  "Id": "SNStoSQS",
  "Statement": {
    "Sid": "rule1",
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "sqs:*",
    "Resource": "arn:aws:sqs:us-east-1:599169622985:test-topic-queue",
    "Condition": {
      "StringEquals": {
        "aws:SourceArn": "arn:aws:sns:us-east-1:599169622985:test-topic"
      }
    }
  }
}
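As an added illustration, not code from this guide or from AWS, the following simplified Python simulation shows how the conditions used in the time-limited, IP-range and SNS policies above are evaluated: every condition in a statement must hold for the statement to apply, and an explicit Deny overrides any Allow. The `evaluate` function, the request dictionary shape and the compact policy dictionary are assumptions for this example; it covers only the fields and operators these examples use, not the full AWS evaluation logic.

```python
import ipaddress
from datetime import datetime, timezone
from fnmatch import fnmatchcase

def _as_list(value):  # policy fields may hold one value or a list of values
    return [value] if isinstance(value, (str, dict)) else value
def _ts(text):  # timestamps in these policies look like 2009-01-31T12:00Z
    return datetime.strptime(text, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)

CONDITION_OPERATORS = {  # only the operators the examples on this page use
    "IpAddress": lambda want, got: ipaddress.ip_address(got) in ipaddress.ip_network(want),
    "NotIpAddress": lambda want, got: ipaddress.ip_address(got) not in ipaddress.ip_network(want),
    "DateGreaterThan": lambda want, got: _ts(got) > _ts(want),
    "DateLessThan": lambda want, got: _ts(got) < _ts(want),
    "StringEquals": lambda want, got: got == want,
}

def _statement_applies(stmt, req):
    """True when principal, action, resource and every condition match the request."""
    if not any(p in ("*", req["principal"]) for p in _as_list(stmt["Principal"]["AWS"])):
        return False
    if not any(fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if stmt["Resource"] != req["resource"]:
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, want in keys.items():
            got = req.get("context", {}).get(key)
            if got is None or not CONDITION_OPERATORS[operator](want, got):
                return False  # a missing context key never satisfies a condition
    return True

def evaluate(policy, req):
    """Return 'Allow' or 'Deny': default deny, and an explicit Deny overrides any Allow."""
    decision = "Deny"
    for stmt in _as_list(policy["Statement"]):
        if _statement_applies(stmt, req):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

IP_POLICY = {"Version": "2008-10-17", "Statement": [  # the two-statement IP policy above, constructed
    {"Sid": "Queue1_AnonymousAccess_SendMessage_IPLimit", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": "sqs:SendMessage", "Resource": "/987654321098/queue1",
     "Condition": {"IpAddress": {"aws:SourceIp": "192.168.143.0/24"},
                   "NotIpAddress": {"aws:SourceIp": "192.168.143.188/32"}}},
    {"Sid": "Queue1_AnonymousAccess_AllActions_IPLimit_Deny", "Effect": "Deny",
     "Principal": {"AWS": "*"}, "Action": "sqs:*", "Resource": "/987654321098/queue1",
     "Condition": {"IpAddress": {"aws:SourceIp": "10.1.2.0/24"}}}]}
```

A request is modelled as a dictionary with `principal`, `action`, `resource` and a `context` of condition keys such as `aws:SourceIp`, `aws:CurrentTime` or `aws:SourceArn`; a request that omits a key a statement conditions on is treated as not matching that statement.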